1. Field of the Invention
This invention relates to authentication systems and artificial intelligence, specifically to an inference system for troubleshooting and maintenance of authentication apparatus.
2. Description of Related Art
To prevent unauthorized access to systems and facilities, many corporations and agencies provide their staff with personal authentication devices such as the credit-card-sized calculator device in U.S. Pat. No. 4,720,860 to Weiss, Jan. 19, 1998. These devices (tokens) augment or replace traditional password authentication systems (password systems). Token-based authentication provides superior security when compared to password authentication. Once in use, authentication tokens allow the staff members to obtain secure access to corporate resources. Often these resources are critical to performing tasks.
When put into practice, these devices and the system components that are necessary for operation (token authentication system) can be comparatively complex. Specifically, the commercial system using Weiss's apparatus has a complexity of usage and of operating state in excess of password systems. The complex states of token authentication systems increase the likelihood of authentication trouble. Whereas password systems have a trivial problem state, token authentication systems have many problem states due to the complexity. The erroneous rejection of an authorized user during authentication is the primary symptom. Historically, the rate of problem occurrence in token authentication systems exceeds that of password systems. Problem states for token authentication systems include: user not knowledgeable of token usage, user forgot PIN (personal identification number), token expired, token disabled, and time reference drift. The problem occurrence rate scales up when thousands of users are given authentication devices. The problem state for password systems is trivial: the user forgot the password. Authentication problems with tokens are typically of high urgency, since the staff member with the problem cannot obtain access to the systems needed to perform a task. To enable the staff member to perform their task in a timely manner, the problem should be remedied as quickly as possible. Unfortunately, due to the increased complexity, token authentication problems require more time and skill to solve when compared to password systems. The delay may result in loss of productivity for the staff members unable to attain system access.
Also due to the increased complexity, token authentication systems require system knowledge and skilled troubleshooting when problems arise. These skills are unique to the particular token authentication system and exceed the skills required for password systems. Authentication problems are typically solved by service personnel, who are trained to solve many types of problems. Service personnel need additional training and on-the-job experience to build the skills necessary for solving problems specific to token authentication systems. The training consumes more resources than those required for password systems. There is a time lag between the time the service personnel start training and the time when troubleshooting proficiency is attained. During that time before proficiency is reached, staff members with authentication problems who call these service personnel will receive degraded service with possible loss in productivity. Of course, degraded service is counter to the goals of all service organizations.
Troubleshooting complex authentication systems in an urgent service environment demands a high degree of attention and focus from the service personnel. Issues that must be managed simultaneously with the troubleshooting activity will, in all likelihood, receive reduced attention. This can result in reduced attention on one key issue, the awareness of security and security policies. Unfortunately, reduced attention on security enhances the opportunity for successful security attacks, targeted on the service personnel themselves. This class of security attack is known as "social engineering". It is understood that social engineering attacks primarily take advantage of situations that reduce security awareness. Troubleshooting complex systems is a situation that draws attention away from security, thereby weakening security.
When thousands of staff members use token authentication, many skilled service personnel need to be on duty at all hours to solve potential authentication problems. To properly service thousands of staff members using token authentication, the number of service personnel must be increased or the existing personnel must be increasingly burdened. The overall effect is an increase in resource requirements to properly service thousands of users who have authentication tokens. These resource increases are in excess of those needed for password authentication.
Thus, when put into practice, authentication tokens introduce a new and complex system to the array of systems already present. Due to the critical need that users be able to access the systems being protected by tokens, there is a requirement to consistently, quickly and securely troubleshoot and maintain the complex system.
Accordingly, several objects and advantages of this invention are:
(a) to provide an inference system that quickly and accurately solves authentication problems in the complex systems used for token authentication: this addresses the increased problem occurrence rate introduced by the added system complexity and addresses the need to urgently solve user authentication problems manifest in complex authentication systems;
(b) to provide an inference system that delivers consistent, expert-level performance for token authentication system troubleshooting in spite of the variable skills of service personnel: this eliminates degraded troubleshooting performance due to service personnel who are not skilled in token authentication troubleshooting;
(c) to provide an inference system that reduces the service skills and system knowledge required for token authentication system troubleshooting: this reduces the resources needed to train a large number of service personnel to be proficient at authentication troubleshooting;
(d) to provide an inference system that reduces the demand for service personnel attention and explicitly reminds service personnel of security policy during operations that are encountered as a result of authentication problems: this raises the security awareness of personnel, which is the primary defense against social engineering attacks;
(e) to provide an inference system that can be used by staff members with authentication tokens to solve their own authentication problems without using service personnel: this further reduces the service resources needed to troubleshoot authentication problems;
(f) to provide an inference system that can be used to automatically perform administrative tasks required to maintain authentication systems.
Further objects and advantages are to provide an inference system which can be integrated with an authentication system, which has self-contained artificial knowledge or patterns related to troubleshooting and maintaining authentication systems, which contains sufficient knowledge or patterns to solve the classes of authentication problems that consume service resources, which enables companies and agencies to avoid large increases in service resources when deploying authentication tokens to thousands of users, which contains knowledge or patterns that can be enhanced to solve new problems as they are discovered. Still further objects and advantages will become apparent from a consideration of the ensuing description and drawing.
The objects of the invention are achieved through troubleshooting apparatus for use with a user authentication subsystem of a type that employs a complex user authentication technique such as authentication by token. The apparatus receives inputs from and produces outputs to an interactive interface that a troubleshooter uses to do the troubleshooting. The apparatus includes an authentication information database in the user authentication subsystem and an authentication problem solving system. The authentication information database system responds to a query by providing a result that typically includes state information about the authentication system. The authentication problem solving system includes an inferencer which is able to draw inferences based on information that is known to the inferencer, that is received from the interactive interface, or that is received from the authentication information database. The problem solving system responds to an input from the interactive interface by providing a query to the authentication information database and responds to a result of the query by providing an output to the interactive interface. The provision of the query and/or the output involves the use of the inferencer.
The output to the interactive interface may be or include a security warning for the problem solver, and the query may specify a modification of the authentication information database. The authentication problem solving system may provide an indication of the proposed modification to the interactive interface and provide the query in response to an input from the interactive interface, giving the troubleshooter the option of permitting the modification or not.
One way of implementing the inferencer is by means of a knowledge base including rules and facts. The rules are fired in response to the facts, the facts being contained in the knowledge base, having been received from an input, and/or having been received in a result of a query. The output to the interactive interface is the result of the firing of one or more rules.
The troubleshooting apparatus is particularly useful when the complex user authentication technique involves a token that the user uses to authenticate himself to the user authentication subsystem. The troubleshooting apparatus receives an identifier associated with the token from the interactive interface and uses the identifier to obtain authentication state associated with the token from the authentication database.
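The following is an added example, not the patent's apparatus or any vendor's code, that puts the rule-and-fact inferencer of the preceding paragraphs together with the problem states listed in the related-art discussion (token expired, token disabled, time reference drift, forgotten PIN, unfamiliar usage). The interactive interface supplies a token identifier and the user's report as facts; a rule queries a constructed stand-in for the authentication information database and adds the returned state as new facts; further rules fire on those facts to emit findings, security-policy warnings and proposed database modifications, which are applied only when the troubleshooter confirms them. The database schema, the 120-second drift tolerance, the rule set and every sample record are assumptions made for this illustration.

```python
"""Forward-chaining inferencer for token-authentication troubleshooting.

Added example; it is not the patent's apparatus. The database schema, the drift
tolerance, the rule set and all sample records are assumptions constructed here.
"""
from copy import deepcopy
from datetime import datetime, timezone

# Constructed stand-in for the authentication information database, keyed by token identifier.
SAMPLE_AUTH_DB = {
    "TOK-0001": {"user": "alice", "enabled": True, "expires": "2030-01-01T00:00:00+00:00", "drift_seconds": 5},
    "TOK-0002": {"user": "bob", "enabled": True, "expires": "2020-01-01T00:00:00+00:00", "drift_seconds": 0},
    "TOK-0003": {"user": "carol", "enabled": False, "expires": "2030-01-01T00:00:00+00:00", "drift_seconds": 0},
    "TOK-0004": {"user": "dave", "enabled": True, "expires": "2030-01-01T00:00:00+00:00", "drift_seconds": 400},
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic
DRIFT_LIMIT_SECONDS = 120  # assumed tolerance for time-reference drift between token and server


def fresh_db():
    """A private copy of the sample database, so proposals can modify it safely."""
    return deepcopy(SAMPLE_AUTH_DB)


def out(kind, text, modify=None):
    """One output for the interactive interface: a finding, a security warning or a proposal."""
    return {"kind": kind, "text": text, "modify": modify}


def has_state(f):
    return "token_state" in f


def expired(f):
    return has_state(f) and datetime.fromisoformat(f["token_state"]["expires"]) < f["now"]


def drifted(f):
    return has_state(f) and abs(f["token_state"]["drift_seconds"]) > DRIFT_LIMIT_SECONDS


# Rule actions: action(facts, db) -> list of outputs. An action may add facts (forward chaining).
def lookup_token(f, db):
    """Query the database with the identifier from the interface; the result becomes new facts."""
    state = db.get(f["token_id"])
    if state is None:
        return [out("finding", "token identifier not found in database"),
                out("warning", "policy: re-read the identifier from the physical token; "
                               "do not create or reassign a token for an unverified caller")]
    f["token_state"] = state
    return []


def report_expired(f, db):
    return [out("finding", f"token {f['token_id']} expired on {f['token_state']['expires']}"),
            out("warning", "policy: replacement tokens are issued only after identity verification")]


def propose_enable(f, db):
    tid = f["token_id"]
    return [out("finding", f"token {tid} is disabled"),
            out("warning", "policy: verify the caller's identity out of band before re-enabling"),
            out("proposal", f"re-enable token {tid}", lambda d: d[tid].update(enabled=True))]


def propose_resync(f, db):
    tid = f["token_id"]
    return [out("finding", f"token {tid} time reference drifts {f['token_state']['drift_seconds']}s, "
                           f"limit {DRIFT_LIMIT_SECONDS}s"),
            out("proposal", f"resynchronize token {tid} time reference", lambda d: d[tid].update(drift_seconds=0))]


def propose_pin_reset(f, db):
    tid = f["token_id"]
    return [out("finding", "user reports forgotten PIN"),
            out("warning", "policy: a PIN reset is a credential change; verify identity first"),
            out("proposal", f"set PIN-change-required on token {tid}",
                lambda d: d[tid].update(pin_change_required=True))]


def guide_usage(f, db):
    return [out("finding", "user reports not knowing how to use the token; walk through PIN plus token code entry")]


def no_fault(f, db):
    return [out("finding", "database shows no fault; have the user retry, reading the code after it changes")]


RULES = [  # (name, condition(facts) -> bool, action)
    ("lookup_token", lambda f: "token_id" in f, lookup_token),
    ("token_expired", expired, report_expired),
    ("token_disabled", lambda f: has_state(f) and not f["token_state"]["enabled"], propose_enable),
    ("time_drift", drifted, propose_resync),
    ("forgot_pin", lambda f: has_state(f) and f.get("user_reports") == "forgot_pin", propose_pin_reset),
    ("usage_unknown", lambda f: f.get("user_reports") == "unsure_how_to_use", guide_usage),
    ("no_fault", lambda f: has_state(f) and f["token_state"]["enabled"] and not expired(f) and not drifted(f)
                 and f.get("user_reports") not in ("forgot_pin", "unsure_how_to_use"), no_fault),
]


def infer(inputs, db, now=NOW):
    """Fire rules to quiescence over facts from the interface plus facts returned by queries."""
    facts, outputs, fired = dict(inputs, now=now), [], set()
    changed = True
    while changed:
        changed = False
        for name, condition, action in RULES:
            if name not in fired and condition(facts):
                fired.add(name)  # each rule fires at most once per session
                outputs.extend(action(facts, db))
                changed = True
    return outputs


def texts(outputs, kind):
    return [o["text"] for o in outputs if o["kind"] == kind]


def apply_proposals(outputs, db, confirm):
    """Modify the database only for proposals the troubleshooter confirms."""
    applied = []
    for o in outputs:
        if o["kind"] == "proposal" and confirm(o["text"]):
            o["modify"](db)
            applied.append(o["text"])
    return applied


if __name__ == "__main__":
    db = fresh_db()
    for case in ({"token_id": "TOK-0002"}, {"token_id": "TOK-0003"}, {"token_id": "TOK-0004"},
                 {"token_id": "TOK-0001", "user_reports": "forgot_pin"}, {"token_id": "TOK-9999"}):
        outputs = infer(case, db)
        print(case, texts(outputs, "finding"), texts(outputs, "warning"))
        print("  applied:", apply_proposals(outputs, db, lambda text: input(f"apply '{text}'? [y/N] ") == "y"))
```

Two design points carry the security-relevant behaviour the description asks for. Every rule that proposes a database change also emits a policy warning in the same firing, so the troubleshooter sees the reminder before the confirmation prompt rather than after; and `apply_proposals` is the only path that writes to the database, so declining a proposal leaves the authentication state untouched. Once a modification is applied, re-running `infer` on the same token shows the state change through the `no_fault` rule, which is how the session verifies the fix.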